Symantec knocks half a million computers out of the ZeroAccess botnet

Symantec announced earlier this week that it has removed 500,000 computers from one of the world's largest botnets. The ZeroAccess botnet has infected over 1.9 million computers, and allows its creator to control these machines remotely. The botnet is thought to deploy its zombie army towards two major activities – click fraud and bitcoin mining.

Click fraud is a means of raising revenue through false clicks on pay-per-click online ads. The Trojan downloads the ads and then generates clicks in a way that mimics human interaction in order to avoid detection. Generating around 42 false clicks per hour, this activity can create tens of millions of dollars for the botnet puppet master.

The second activity is bitcoin mining. The online currency has grown in popularity since its release in 2009, and at the time of writing one bitcoin is worth £81.14. Since a stable currency has to be based on scarcity, bitcoins need to be mined using processes based on mathematical algorithms.

Botnet creators use the amassed computing power of their slave machines to generate this virtual currency, and could be generating hundreds of thousands of pounds every year. This results in a massive expenditure of energy, as machines are forced to perform complex computing even while idle.

In a statement released on Monday, Symantec announced that it had spent months developing an ingenious way to "sinkhole" infected computers, effectively liberating them from the botnet. After noticing that a wave of updates was sweeping through the botnet and patching up the same vulnerability they had spotted, Symantec acted quickly and released their own fix. The sinkholing process spread from bot to bot at a rate of about five minutes per transfer, and quickly resulted in the detachment of over half a million bots.

The liberation of such a large number of computers could save approximately 864 MWh/day, or enough to power 27,000 homes. That would amount to a saving in electricity costs of over $140,000 (£86,500).

While the ZeroAccess botnet is still active, and could easily resurge to former numbers, its spread has been tempered by Symantec's actions, and the revenue stream of its owners has been interrupted. The Symantec program is also being used to clean even more infected PCs.

Image: Flickr (mmckeay)